BYOD or Bring-Your-Own- … Ostrich?
When it comes to the bring-your-own-device (BYOD) movement, there are essentially two types of organizations: Those that have programs in place to support it; and those that pretend that, because they have forbidden the practice, it isn’t happening. In the latter group, in which employees are doubtless bringing their own devices, the IT professionals tasked with network security have brought their own ostrich — and its head is buried firmly in the sand.
We all know that mobile devices such as smartphones and tablets bring additional risks. The same can be said of any employee-owned device, including laptops and desktops. Would we like to minimize risk? Of course. But which of the following is riskier?
- Letting employees who may know little about threats or mitigation strategies sort out what the most appropriate defenses are, install the proper tools, configure them for optimal usability/security and maintain all this in the face of an ever-changing backdrop of newly-discovered vulnerabilities and attack types.
- Letting subject matter experts chart the course and enable members of the user community to focus on their daily jobs.
Bear in mind that there is not a third option since the devices will inevitably make their way into the environment in one way or another. The only question is whether firms want the employees bringing in these devices to decide on a security strategy for themselves or to allow professionals to provide the necessary training and infrastructure to guide the process.
A Brief History Lesson
Remember when all computing was done under tightly controlled environments? All computers were on raised floors behind access-controlled doors, with security guards logging everyone’s comings and goings, all under constant surveillance by security cameras. (Alright, so maybe some of you don’t remember this. Just take my word for it. It really happened.)
Then, the first PCs burst onto the scene, and the idea that sensitive data might now sit on or under someone’s desk in an open cubicle caused the security department to break out in hives. As if that weren’t enough; laptops soon started showing up, and it was as if the data center had grown legs and could now be carried to and from external meetings just as easily as it could end up at the beach with an employee wanting to check email from time to time while on vacation. Worse still, this precious resource could get nabbed from a hotel room or car seat and wind up in the hands of a competitor in short order. By that point, the hives were breaking out in hives of their own.
But, as we all know, it didn’t stop there. Now, we have mobile devices with the power and storage capacity of yesterday’s mainframes in a size that fits conveniently in an employee’s pocket — or on the floor of the taxi that employee took an hour ago. At this point, the medical analogies fail me.
The point is that, with each turn of the technological crank, doomsayers have predicted the end of IT security as we know it; and yet, life goes on. Not only has the world not come to an end, but smart organizations have figured out how to ride the waves of new technology and improve their competitiveness in the process. When viewed from this historical perspective, it becomes clear that those companies that figure out how to leverage change and manage risk are going to be the winners. The others? Well, we will get to read about them in the history books.
BYOD Is Just the Beginning
It’s not only devices that employees are introducing into the equation; it’s also public cloud services such as iCloud, Gmail, Dropbox, Evernote and so on. In fact, the more we move to mobile devices with always-on Internet connections, the more we are going to leverage these capabilities because they were made for each other. Any attempt to pre-emptively block all public cloud services is just as likely to fail as an attempt to prohibit the use of smartphones and tablets for business purposes. The better strategy is, once again, to figure out how to get out in front of the trend and exercise prudent control over how these devices and services can be used in a secure manner instead of simply forbidding them and running the risk of driving their use underground, where you will no longer have the ability to influence how they are used.
In the end, users are going to bring their own devices, clouds and anything else that awaits on the technological horizon. The only question is whether you also want them to bring their own security as well while the organization chooses to hang out with the ostriches.
Distinguished Engineer & IT Security Architect, IBM